From 2ce042d044b0448a1902320af9f3081de144a2c0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 19 Apr 2009 08:42:49 -0700
Subject: [PATCH] Add IPMARK target support -- first phase
---
 Shorewall/Perl/Shorewall/Config.pm | 4 +++
 Shorewall/Perl/Shorewall/Tc.pm | 43 ++++++++++++++++++++++++++++++
 Shorewall/lib.base | 4 +++
 3 files changed, 51 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 3fc3d9df3..e1c2bca27 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -236,6 +236,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 TIME_MATCH => 'Time Match',
 GOTO_TARGET => 'Goto Support',
 LOGMARK_TARGET => 'LOGMARK Target',
+ IPMARK_TARGET => 'IPMARK Target',
 CAPVERSION => 'Capability Version',
 );
 #
@@ -601,6 +602,7 @@ sub initialize( $ ) {
 TIME_MATCH => undef,
 GOTO_TARGET => undef,
 LOGMARK_TARGET => undef,
+ IPMARK_TARGET => undef,
 CAPVERSION => undef,
 );
 #
@@ -1941,6 +1943,8 @@ sub determine_capabilities( $ ) {
 }
 $capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
+ $capabilities{IPMARK_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
+
 qt1( "$iptables -t mangle -F $sillyname" );
 qt1( "$iptables -t mangle -X $sillyname" );
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index c5ac46065..c51cc3641 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -103,6 +103,12 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
 mask => '' ,
 connmark => 0
 } ,
+ { match => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+ target => 'IPMARK' ,
+ mark => NOMARK,
+ mask => '',
+ connmark => 0
+ } ,
 { match => sub ( $ ) { $_[0] =~ '\|.*'} ,
 target => 'MARK --or-mark' ,
 mark => HIGHMARK ,
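Review bot: The new @tccmd entry's match `$_[0] =~ /^IPMARK/` claims every command that merely starts with that prefix, so a mistyped command such as one with a stray suffix is routed to the IPMARK branch of process_tc_rule and only rejected there, under a message that names MARK/CLASSIFY rather than IPMARK. Anchoring the match to the two spellings the parser accepts, `match => sub ( $ ) { $_[0] =~ /^IPMARK(?:\(|$)/ },`, keeps the table self-describing while leaving parameter validation to process_tc_rule; I cannot see what the existing fallback does for an unmatched command, so confirm it still produces a sensible error. A short comment on the entry, `# IPMARK or IPMARK(src|dst[,and-mask[,or-mask[,shift]]]); parameters are parsed in process_tc_rule`, would tell a reader where the syntax is defined. The @tccmd list starts before the hunk and continues after it.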
@@ -293,6 +299,43 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
 }
 $sticky++;
+ } elsif ( $target eq 'IPMARK ' ) {
+ my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
+
+ require_capability 'IPMARK_TARGET', 'IPMARK', 's';
+
+ if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
+ my $params = $1;
+ my $val;
+
+ my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
+
+ fatal_error "Invalid IPMARK parameters ($params)" if $bad;
+ fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
+ $srcdst = $sd;
+
+ if ( defined $m1 && $m1 ne '' ) {
+ $val = numeric_value ($m1);
+ fatal_error "Invalid Mask ($m1)" unless defined $val;
+ $mask1 = $m1;
+ }
+
+ if ( defined $m2 && $m2 ne '' ) {
+ $val = numeric_value ($m2);
+ fatal_error "Invalid Mask ($m2)" unless defined $val;
+ $mask2 = $m2;
+ }
+
+ if ( defined $s ) {
+ $val = numeric_value ($s);
+ fatal_error "Invalid Shift Bits ($s)" unless defined $val;
+ $shift = $s;
+ }
+ } else {
+ fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
+ }
+
+ $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 }
 if ( $rest ) {
diff --git a/Shorewall/lib.base b/Shorewall/lib.base
index c7a3f57f6..ac07b223a 100644
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -758,6 +758,7 @@ determine_capabilities() {
 TIME_MATCH=
 GOTO_TARGET=
 LOGMARK_TARGET=
+ IPMARK_TARGET=
 chain=fooX$$
@@ -851,6 +852,7 @@ determine_capabilities() {
 fi
 qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+ qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 qt $IPTABLES -t mangle -F $chain
 qt $IPTABLES -t mangle -X $chain
 qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -945,6 +947,7 @@ report_capabilities() {
 report_capability "Time Match" $TIME_MATCH
 report_capability "Goto Support" $GOTO_TARGET
 report_capability "LOGMARK Target" $LOGMARK_TARGET
+ report_capability "IPMARK Target" $IPMARK_TARGET
 fi
 [ -n "$PKTTYPE" ] || USEPKTTYPE=
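Review bot: Each mask and shift parameter is validated with numeric_value but the raw configuration token is what gets kept — `$mask1 = $m1;`, `$mask2 = $m2;`, `$shift = $s;` — and `$val` is used only for the defined check, so whatever spelling numeric_value tolerates is interpolated verbatim into `$target` and from there into the generated iptables rule. Storing the parsed value instead, `$mask1 = $val;` (and likewise for `$mask2` and `$shift`), means the emitted rule carries only the canonical number; numeric_value is not visible here, so confirm it returns the value rather than a truthy flag before making that change. The else branch's `fatal_error "Invalid MARK/CLASSIFY ($cmd)"` is reached only for commands already matched as IPMARK, so `fatal_error "Invalid IPMARK ($cmd)"` would point the user at the right syntax. The enclosing process_tc_rule begins before the hunk and continues after it.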
@@ -1000,6 +1003,7 @@ report_capabilities1() {
 report_capability1 TIME_MATCH
 report_capability1 GOTO_TARGET
 report_capability1 LOGMARK_TARGET
+ report_capability1 IPMARK_TARGET
 echo CAPVERSION=$SHOREWALL_CAPVERSION
 }